BreachExchange mailing list archives

You think you've nothing to steal? Hackers don't agree.


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 31 Mar 2015 19:53:03 -0600

http://www.scmagazineuk.com/you-think-youve-nothing-to-steal-hackers-dont-agree/article/403083/

The value to hackers of any single website is not widely understood.

The information security and hacking industries follow the basic laws of
human behaviour, and the latter exploit common human weaknesses, such as
laziness or negligence. With Heartbleed the human factor was much more
critical than any technological flaw. Very few hosting companies and data
centres patched their systems in the 24 hours after the patch had become
available, thinking that nobody would bother to exploit the vulnerability
and break into their servers. But they did.

When a global vulnerability becomes public, hundreds of hacking teams
around the world immediately start exploiting it in automated or
semi-automated mode, while IT teams are usually focusing on other tasks and
ignoring the flaw.

Thousands of crawlers and auto-exploit bots are constantly browsing the web
looking for easy targets. Hackers usually don't target any particular
system or company; they just try to compromise and backdoor as many large
systems as they can, though systems with large amounts of personal data and
credentials are the most attractive targets. Such systems may be web
hosting control centres used by customers to manage their accounts,
websites, personal clouds, and emails.

A compromised hosting company can be very valuable to hackers. First they
will dump the database with logins and passwords from all customer
accounts. The more data they have, the more money they will make in the
future.

Usually, after a database is stolen, it will be sold to numerous teams and
individuals specialised in collecting and re-selling Big Data on the Black
Market. These people know whose data may represent value for various
customers, from mafia to governmental entities, something that 'technical'
hackers usually neither know nor want to deal with.

In addition to the obvious vectors of stolen data exploitation, such as
credit cards, there are many risks that people just do not realise. Once
cyber-criminals get access to your account on a hosting company, they can
do plenty of nasty things. The most frequent problems are password re-use
and the professional use of a personal email account. If you are working in
a large company, hackers will search your inbox for professional emails
that may help them to get into your company's network.

Often network administrators send highly-sensitive data, such as corporate
credentials or VPN access, to their colleagues' personal emails just
because it is easier or faster, or a minor technical problem prevents them
from transmitting the data in a secure way. Corporate security policies
cannot really prevent human negligence or laziness.

Hillary Clinton recently used her personal email address for critical state
communications, clearly demonstrating that even the most robust structures
are often powerless against common human weaknesses. Many people don't
realise that their email account may be used for password recovery on
numerous other accounts (e.g. e-banking or social networks). Web services
still often send user credentials to their customers in plain text via
email, and people don't think about removing such emails from their
inboxes. A simple email address can be an Ali Baba's cave for hackers who
can directly or indirectly access gigabytes of valuable information from
your inbox to sell on the Black Market.

Your website, even if it's a small personal blog, may also represent high
value for hackers. If you have important people in your business or
personal environment (e.g. customers, partners, friends), your website in
combination with your email address provides a perfect attack vector.

An email will be sent from you to a VIP target, suggesting that they open a
legitimate-looking URL on your website. Hackers will host an exploit-pack
on the URL, so once the victim opens your website, it will try to exploit
one of the numerous vulnerabilities in their web browser, Adobe or Java,
and execute malicious code that will install a sophisticated backdoor on
the victim's system. Such an approach is much cheaper, faster and more
reliable than targeting the victim's corporate network which may be very
well protected and thus expensive to hack. You will probably not even
notice that anything is going on, nor will your hosting company.

You and your data can easily become a pawn in someone else's big game
without your knowledge. Globalisation, cloud technologies and outsourcing
processes have sent everyone's data on hundreds of different systems, and
thus made your systems, your mailbox and your website very attractive
targets for hackers. And if it's easier for hackers to compromise you
rather than somebody else to get what they are looking for, they'll soon
come and take what they need. If they haven't done so already.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 